OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Aerowinder on April 11, 2025, 03:08:29 AM

Title: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: Aerowinder on April 11, 2025, 03:08:29 AM
Greetings,

I have 2 installations of OPNsense - one of these installations has the Wireguard firewall rules in the "Wireguard" interface. The other installation has the Wireguard interfaces in separate OPT interfaces. Both work in 25.1.4.

Upon updating to 25.1.5, the installation using the "Wireguard" interface still passes the VPN traffic, but the installation using the separate Wireguard interfaces is not passing traffic.

Wireguard logs don't show any issues. Firewall logs indicate that the VPN traffic is not being blocked. For now, I've reverted to the pre-installation state with a ZFS snapshot.

Are there any other logs I can collect that might help?
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: Patrick M. Hausen on April 11, 2025, 03:40:56 AM
Check Interfaces > Assignments. Possibly your WG interfaces got renumbered.
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: Aerowinder on April 11, 2025, 01:01:03 PM
Quote from: Patrick M. Hausen on April 11, 2025, 03:40:56 AM
Check Interfaces > Assignments. Possibly your WG interfaces got renumbered.

Swapped back to the old snapshot - the interfaces are unfortunately numbered the same as they were prior to the update.

I swapped my individual interface installation back to using the Wireguard Group rules, and everything works again.
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: hyp on April 13, 2025, 07:05:20 PM
Have the same problem with my wireguard vpn. In the opnsense web interface it shows up as connected but no traffic is going through. On the other side my wg client on opnsense to my vserver is working fine. Is there a known issue already?
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: cast.castovsky on April 13, 2025, 09:05:24 PM
I had a similar issue with WG on version Opnsense 25.1.4_1
Old WG clients were working fine, but it was impossible to have successful connection from ANY NEW client created today.
Moreover Suricata started to hang, flooding the log and my miniPC went with temp over 70C (where normally I have 46-52).
Solution which worked for me:
a) stop suricata
b) remove WG from Suricata inspection.
c) remove completely WG peers, the instance and the interface
d) make a fully NEW WG: the instance, peers and the interface
e) check if that works
f) if it works, add WG in the Suricata interfaces
g) check again
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: eblot on April 13, 2025, 10:05:39 PM
Hi,

Same here: upgraded OpnSense this afternoon, Wireguard stopped working. The remote peer and the local instance agree on handshake time, TX and RX traffic count (which stay low, i.e. no actual data traffic).

Wireguard is configured to use "wg0" which is assigned "OPT4". It does not seem wrong, does it?

Looking at the Firewall live view, it seems that all traffic is now blocked by the "Block all WireGuard" rule which is part of Rules "WireGuard (Group)".

I do not remember seeing these Rules group name before, has it been renamed from another Wireguard rule? It has been far too long since I configured WG on this firewall. There is "WgVPN" rule group that I remember configuring to enable specific rules for specific device.

However, I do not remember modifying the previous rule group which is now named "WireGuard (Group)". What should be the rules here?


Thanks.
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: narsaw on April 14, 2025, 07:19:11 AM
Same exact issue with 25.1.5 update. Wireguard stops working. Rolled back to 25.1.3 and wireguard works again.
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: gfreitmi on April 14, 2025, 10:42:10 AM
Same exact issue with 25.1.5 update. Wireguard stops working. Rolled back to 25.1.3 and wireguard works again.


-> Same for me at 25.1.5_4
Any solution to enable Wireguard on 25.1.5 again?

No handshake possible for any peer.
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: Patrick M. Hausen on April 14, 2025, 11:17:46 AM
Quote from: gfreitmi on April 14, 2025, 10:42:10 AM
Any solution to enable Wireguard on 25.1.5 again?

WG runs perfectly well here with 25.1.5_4 and 25.4. You need to get way more specific concerning your setup.
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: DEC670airp414user on April 14, 2025, 12:19:08 PM
i posted a thread a couple weeks ago as well. i never could get it resolved.
but when the new business edition was released i upgraded and it still works...

here is my question. what version of Wireguard is Opnsense running? here it says unknown for FreeBSD: https://www.wireguard.com/install/#freebsd-kmod-userspace-go-tools
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: Patrick M. Hausen on April 14, 2025, 01:35:48 PM
Quote from: DEC670airp414user on April 14, 2025, 12:19:08 PM
what version of Wireguard is Opnsense running?

root@opnsense:~ # wg version
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: hyp on April 14, 2025, 02:31:50 PM
Quote from: eblot on April 13, 2025, 10:05:39 PM
Hi,

Same here: upgraded OpnSense this afternoon, Wireguard stopped working. The remote peer and the local instance agree on handshake time, TX and RX traffic count (which stay low, i.e. no actual data traffic).

Wireguard is configured to use "wg0" which is assigned "OPT4". It does not seem wrong, does it?

Looking at the Firewall live view, it seems that all traffic is now blocked by the "Block all WireGuard" rule which is part of Rules "WireGuard (Group)".

I do not remember seeing these Rules group name before, has it been renamed from another Wireguard rule? It has been far too long since I configured WG on this firewall. There is "WgVPN" rule group that I remember configuring to enable specific rules for specific device.

However, I do not remember modifying the previous rule group which is now named "WireGuard (Group)". What should be the rules here?


Thanks.

Thanks for the hint about the group rules. I have already used it for my wg client vserver connection. After creating new rules in the group with source wg vpn adr and the intended targets wg is working again for me. But strange behavior since i have a wg interface and rules
Title: Re: 25.1.5 - WireGuard individual interfaces no longer pass traffic
Post by: narsaw on April 14, 2025, 05:10:23 PM
I can confirm that adding a pass rule under Wireguard (Group) where the source is my wireguard interface allows connections to pass.
So it seems w/ the latest and perhaps the previous update Wireguard (Group) rules take precedence over interface specific rules. I suspect this because my wireguard interface has a pass rule but after update no wireguard traffic passes until a pass rule is added to Wireguard (Group)
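As an added illustration of the precedence narsaw describes (this is not code from the thread or from OPNsense itself), the following Python model evaluates rules first-match, assuming group rules are evaluated before the rules of the assigned interface. The rule name "Block all WireGuard" is the one eblot saw in the live view; every other rule name, the tunnel subnet 10.10.10.0/24 and the LAN subnet 192.168.1.0/24 are constructed for the example.

```python
"""Constructed model of first-match firewall rule evaluation.

Assumption modelled here: rules attached to an interface group are placed
before the rules of the individual interface in the generated ruleset, and
the first matching rule wins. Under that model a block-all rule in the group
is reached before any pass rule on the OPT interface, which is the symptom
reported in the thread. All addresses and rule names other than
"Block all WireGuard" are constructed, not taken from anyone's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    scope: str    # "group" or "interface"
    action: str   # "pass" or "block"
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    name: str     # label shown in the firewall live view


def ordered_rules(rules):
    """Group rules first, then interface rules; sorted() is stable, so the
    relative order inside each scope is preserved (assumed evaluation order)."""
    rank = {"group": 0, "interface": 1}
    return sorted(rules, key=lambda r: rank[r.scope])


def evaluate(rules, src, dst):
    """Return (action, rule name) of the first rule matching src -> dst,
    or the implicit default deny when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in ordered_rules(rules):
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action, r.name
    return "block", "default deny"


# Constructed ruleset "before": the group only blocks, the interface passes.
GROUP_BLOCK_ALL = Rule("group", "block", "0.0.0.0/0", "0.0.0.0/0", "Block all WireGuard")
OPT4_PASS = Rule("interface", "pass", "10.10.10.0/24", "0.0.0.0/0", "OPT4 allow VPN clients")

# Constructed "after": a pass rule in the group whose source is the tunnel
# subnet and whose destination is the LAN, as narsaw and hyp describe adding.
GROUP_PASS_TO_LAN = Rule("group", "pass", "10.10.10.0/24", "192.168.1.0/24", "WG group pass to LAN")


def before_and_after():
    """Evaluate the same tunnel packet against both rulesets."""
    before = [GROUP_BLOCK_ALL, OPT4_PASS]
    after = [GROUP_PASS_TO_LAN, GROUP_BLOCK_ALL, OPT4_PASS]
    vpn_client, lan_host, internet_host = "10.10.10.2", "192.168.1.10", "203.0.113.5"
    return {
        "before_to_lan": evaluate(before, vpn_client, lan_host),
        "after_to_lan": evaluate(after, vpn_client, lan_host),
        # The group pass rule only covers the LAN, so other destinations
        # still hit the block-all rule: the group rule's targets matter.
        "after_to_internet": evaluate(after, vpn_client, internet_host),
    }


if __name__ == "__main__":
    for label, (action, name) in before_and_after().items():
        print(f"{label}: {action} by '{name}'")
```

The interface pass rule is never consulted in the "before" case because the group's block-all rule matches first; the fix that worked for the posters above is therefore a pass rule in the group itself, scoped to the tunnel source and the intended destinations.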